These and other useful features, such as the many plugins, have made WordPress an incredibly popular platform. In fact WordPress now makes up 25% of all websites, and as an IT Support company in Hertfordshire we have a great deal of experience of helping our customers to make their WordPress business websites as productive and secure as possible. One potential weakness in WordPress websites has however been highlighted by a recent DDoS cyber attack, where the cyber criminals exploited the pingback feature in multiple WordPress websites in order to use them as part of a cyber attack on another website.
In the latest reported WordPress-related attack, researchers at Sucuri noticed that cyber criminals, over a number of incidents, used a huge network of 26,000 WordPress websites to launch multiple Layer 7 (application-layer, also known as flood) Distributed Denial of Service (DDoS) attacks. A Distributed Denial of Service (DDoS) attack is one where the perpetrator uses multiple compromised systems, often infected with a Trojan virus, to launch a single attack on one system.
In this most recent cyber attack involving WordPress the perpetrators used a series of IP addresses (in the 184.108.40.206/24 range) to control the botnet of WordPress sites. The 26,000 WordPress websites were then used by the attacker to generate 10,000 to 11,000 HTTPS requests per second against one website. When subjected to a flood of requests of this kind (known as a Layer 7 or flood attack) servers are unable to handle the load, a large amount of memory is consumed, and the operation of the server is therefore seriously disrupted.
Nothing New For Wordpress
This recent DDoS attack is the most popular kind that is used against WordPress, and is estimated to make up around 13% of all the attacks involving the system. The huge popularity and widespread knowledge of WordPress are reasons why criminals continue to target the platform. According to Imperva’s 2015 annual Web Application Attack Report (WAAR), WordPress is now thought to be the most attacked CMS, with around 3.5 times more attacks than non-CMS applications. Only last year, for example, thousands of WordPress sites were attacked or hijacked using malicious ‘Neutrino Exploit Kit’ code.
Some Protection Was In Place
The frequency of this kind of attack against WordPress has meant that an IP logging feature was added in version 3.9 so that the IP address from which a ‘pingback’ request originated is recorded. This should mean that the attacker’s IP appears in the user-agent string that the pingback request leaves in the target’s logs. In this most recent case, however, the perpetrators were able to carry out an attack despite the logging feature being in place.
What Can You Do To Protect Your Website?
If you have a WordPress website for your business, one step that you can take to prevent it being used as part of a larger attack against other sites is to disable pingbacks. It is the pingback element of WordPress that has repeatedly been responsible for so many of these attacks.
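As an added example of the mitigation described above (this is illustrative code written for this page, not code from WordPress or from the attack report), the following must-use plugin removes the pingback XML-RPC method, strips the advertising headers, and closes pingbacks on new posts. It assumes the file is saved as wp-content/mu-plugins/disable-pingbacks.php; the hook names used (xmlrpc_methods, wp_headers, pings_open, bloginfo_url, pre_option_default_ping_status) are standard WordPress filters.

```php
<?php
/*
Plugin Name: Disable Pingbacks (added example)
Description: Stops this site from sending or accepting pingbacks so it cannot be recruited into a pingback DDoS.
*/

// 1. Remove the pingback methods from the XML-RPC interface. This is more targeted than
//    disabling XML-RPC altogether (the 'xmlrpc_enabled' filter), which would also break
//    legitimate clients such as the mobile apps or Jetpack.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the pingback endpoint in the HTTP response headers.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Stop advertising the pingback endpoint in the <link rel="pingback"> tag that themes emit.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// 4. Treat pingbacks as closed on every existing post, whatever its stored setting says.
add_filter( 'pings_open', '__return_false' );

// 5. Make "closed" the default for any new post so editors do not re-enable it by accident.
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
```

After dropping the file into mu-plugins no activation step is needed. To confirm it is working, request the site’s home page and check that no X-Pingback header is returned, and that a pingback.ping call to xmlrpc.php is rejected with a "method not found" fault rather than being processed.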
As an IT Support Company in Hertfordshire we are fortunate enough to work with many businesses in the local area who pride themselves on providing quality products and great service to their customers. Displaying testimonials and reviews online is a great way to let potential new customers know the kind of positive experience they are likely to have if they sign up, but what if those reviews are used against us, either as a form of unfair competition or simply to damage our online reputation?
We All Use Reviews
Figures show that we all use and put a high degree of trust in online reviews. This is certainly true in our world of IT Support where we are essentially providing a service that can only really be experienced while it is being used. A 2015 Bright Local survey for example showed the proportion of consumers who read online reviews for products and services to be as high as 92%, and showed that as much as 40% of consumers form an opinion by reading just 1 to 3 reviews. Online reviews therefore can have a powerful influence on our purchasing decisions, and over the fortunes of a business. As any business that has experienced the result of one or more prominent bad reviews on e.g. Trip Advisor will know the negative impact on trade can be significant.
Although last year’s UK Competition and Markets Authority (CMA) report about online reviews and endorsements put the estimate of UK consumers who use online reviews at only 54%, it did highlight one of the major concerns for businesses that has led to a lack of trust in online opinions: potentially misleading practices. These include fake reviews being posted onto review sites, negative reviews not being published, and businesses paying for endorsements in blogs and other online articles without this being made clear to consumers.
A recent piece by the BBC highlighted the mixed online reviews of a Manhattan restaurant to introduce the subject of how new technology could help to cut down on misleading practices in online reviews and endorsements. This could of course benefit businesses, customers, and those who are most likely to be influenced by reviews, those who haven’t tried your product or service before. Some of the new technology that could help to restore trust in online reviews includes:
‘Twizoo’ for Twitter. This mobile app from a start-up reportedly works by weeding out paid-for and out-of-date reviews. The advantage of this app is that it takes into account a reviewer’s full social media profile and their tweets over time, and allocates a quality score. This means that it is much more difficult for fake reviews to be posted from recently set up accounts, or for friends and family of the business to influence reviews. This quality based system also reduces the clout that tweets have after a period of 3 months. This reduces the ability of dishonest tweets to have a lasting effect on the business, plus it gives a more accurate picture of the service that potential users can expect at the current time.
Yelp - secret source code. This secret algorithm at Yelp reportedly weeds out overly enthusiastic 5 star reviews.
Amazon - multiple measures. As well as constantly reviewing its own readers’ star rated reviewing system, Amazon reportedly favours reviews by standard rather than discounted paying customers as a way of improving review quality. It is also reported to have brought lawsuits against over 1,000 defendants for reviews abuse.
The Walt Disney World Wristband. This wristband system gathers information about the wearer and what services they have actually used at Walt Disney World to match against the reviews.
More of a Level Playing Field in Future
The wider adoption of quality-based systems like these could quite simply provide more of a level playing field for businesses, and could help to protect you from some of the more obvious, frustrating and damaging reviews that you may have received as a result of potentially misleading practices. These systems may also make it more difficult for some businesses to unfairly influence reviews in their favour.
A ‘Distributed Denial of Service’ (DDoS) is just such an attack, and as such it has become a very popular way for criminals to inflict damage on businesses. As an IT Support Company in Hertfordshire we often receive questions and requests from our customers about which systems provide the highest levels of security and protection from the known cyber threats. Google is now offering a service called “Project Shield” that is reported to offer an extra degree of protection in the safety of its Cloud - BUT only for certain types of websites at the moment.
The Threat of DDoS Attacks
DDoS attacks, such as the one that used a pingback feature loophole to leverage 26,000 WordPress websites, or the attacks launched on the Xbox Live and PlayStation Network gaming services, can be very disruptive and damaging. With DDoS the perpetrator uses multiple compromised systems, often infected with a Trojan virus, to launch a single attack on one system. The result is to overwhelm that system, rendering it unavailable. It is estimated that a DDoS attack can cost the criminal around £30 to execute (presumably excluding labour costs) and it can be ordered anonymously. For the business that is the focus of the attack the results are not only the temporary disruption, but the fallout from that disruption, which can include lost customers, bad press and damage to reputation. In monetary terms, estimates of the average cost of this kind of attack to a business are around the £300,000 mark.
Help From Google’s “Project Shield”
For those who run news, human rights or elections sites which host “free expression” content, some comfort and protection can now be gained from the fact that Google is offering protection in the safety of its Cloud as part of what it is calling “Project Shield”. The free service is inviting applications through its website https://projectshield.withgoogle.com/public/ . According to Google’s Project Shield, if the online application is approved the successful webmaster will be emailed the configuration instructions, and provided they have administrative privileges for the website and can modify DNS records, protection against DDoS attacks for their website can be set up in as little as 10 minutes.
How It Works
Google’s Project Shield uses a technology known as a “reverse proxy” to route a website’s traffic through Google’s infrastructure (Google Cloud Platform), where “illegitimate traffic” can be stopped before it reaches the server. Google suggests that the service is akin to “a train conductor only letting ticketed passengers aboard”. Although it is unlikely to noticeably affect a website’s performance, users in countries where Google’s IP addresses are blocked will not be able to access the content served through Project Shield.
The 12 month ‘David and Goliath’ battle between Pensioner Deric White from Pimlico in London and Apple over the incident resulted in a judge finding that Apple had been “negligent in the treatment of the claimant's telephone, causing the claimant’s loss of photographs of particular sentimental value, and the loss of all his contacts".
The counter argument by Apple’s spokesperson that Mr White hadn’t demonstrated that he’d lost anything was finally rejected, because ‘difficulty’ in assessing damages didn’t mean that no compensation should be due to Mr White. The London County Court judge finally awarded Mr White £2,000 in damages (£1,200 in compensation, and £800 in costs).
The Value of Backing Things Up
As a Hertfordshire based IT Support Company, one of the important services we offer is online backup of our customers’ valuable files and data. The loss of files for businesses (and individuals like Mr White) can be very costly and disruptive, and it is always worth making sure that you have a robust backup in place. A system that works even in low-bandwidth locations, supported by a locally placed backup, provides a very secure backup solution.
In Mr White’s case it is unfortunate that he agreed to sign up for iCloud just after his phone’s bungled repair, at which point he was unaware that the photos, videos and contact information had already been lost. Even though Mr White received monetary damages, this is unlikely to be a substitute for his precious digital memories which included photos and videos of his once-in-a-lifetime honeymoon trip to the Seychelles.
How It Happened
Mr White’s loss of photos, videos, and contacts occurred when he took his Apple iPhone 5 to the Apple Store in Regent Street back in December 2014 in the hope that they could stop the text messages that he’d been receiving twice a day during his honeymoon asking him to reset his password. The files were deleted by a member of staff at the ‘Genius Bar’ in the store who tried to carry out a fix. Mr White, who had also just beaten cancer, said the loss of these precious digital memories had left his wife in tears and had left him livid. Mr White said that after being told that the problem with the phone had been “sorted”, he believed that the person knew what they had done and sent him on his way “like an imbecile”.
The kind of data that we’re talking about in this case is believed to be personal data like email addresses, phone numbers and dates of birth. One other worrying aspect of the theft is that the hacked database contained the last four digits of the credit / debit cards of around 100 customers who had purchased Wetherspoon vouchers online. Obviously this aspect of the theft could have been worse but the whole episode highlights some very important points for all businesses in terms of online and data protection.
Protecting Your Business From Cyber Criminals
As a company offering IT Support Services in Hertfordshire and beyond, one of the services for which demand has increased noticeably is IT Security, not just for bigger organisations but also for SME businesses. The reason for prioritising security is that there has been a well publicised increase in cyber crime against all kinds and sizes of businesses recently. The fuel for this trend has been fast technological change and IT developments, combined with ever more adept cyber criminals sharing and using more sophisticated and creative methods. Attacks like the one against JD Wetherspoon’s database are becoming all too common for businesses across South East England. With increased cyber crime, and with the introduction of new data protection regulations next year, it is worth making sure that your business is protected now.
How The JD Wetherspoon Database Hack Took Place
In the case of JD Wetherspoon, the criminals, thought to be from a Russia-based hacker group, targeted a database that was linked to an old version of their website that was still with the old host. This is one of the most likely reasons why the crime, which occurred back in June, has only recently been detected. The stolen customer details are from those who signed up to receive the Wetherspoon newsletter, registered with The Cloud to use Wi-Fi in their pubs, submitted a contact-us form on the website, and/or bought vouchers online prior to August 2014.
Not Detected by JD Wetherspoon
One of the worrying aspects of this hack was that it wasn’t actually detected at all by JD Wetherspoon, but only came to light thanks to a cyber intelligence group called CyberInt. They made the discovery while investigating another case where the breach reportedly came up in their Argos Cyber Threat Intelligence Platform via one of its sources (a cyber-crime forum on the Dark Web). CyberInt now believe that the stolen information is likely to be sold on a forum run by Russian hacker ‘w0rm’, and that JD Wetherspoon is probably one of many ‘Big Names’ targeted by the same hacker group.
The motivation for this and many similar crimes is likely to be the use of the stolen data to commit further crime such as theft (of money and identity) and fraud. This type of crime can have a serious negative effect on the lives of those whose data has been stolen and sold. It is also worth remembering that a theft like this can damage the reputation and the brand value of the company that the data was stolen from. In the case of JD Wetherspoon, the long gap between the crime and its detection also meant that affected customers had no time to take any precautionary steps to prevent the criminals from taking money from their bank accounts.
Since the crime’s detection the Information Commissioner’s Office (ICO) has been notified of the breach and a forensic investigation is now underway. JD Wetherspoon are reported to have said that there are no indications that the stolen data has been used for fraudulent activity to date.
Protecting Your Business From Cyber Criminals
Falling victim to this kind of security breach and not reporting it can mean large fines, greater reputational damage, and other legal consequences. Moves that you can make to protect your business include ensuring that security practices and systems are up to date and robust, and that they conform to best practice. The advice from the experts at CyberInt is that this can best be done by “collecting targeted cyber intelligence from thousands of sources including the dark web, the deep web, social networks and other sources, and by continuously assessing the organisation’s resilience to these attacks.”
Other research figures such as those by The Centre For Retail Research also appear to support this finding. Their figures show that in 2015 in the UK only 16.5% of online spending was done by smartphone, compared to 71.4% by PC and 12.1% by tablet. The same study showed even less purchasing online by smartphone in the rest of Europe - only 7%.
The most likely causes of this frustrating trend for businesses are the practicalities of handling a phone compared to a tablet or desktop. The current (and recent past) crop of mobile phones can be small and fiddly and can make it difficult to carry out many of the data input operations needed to make a purchase e.g. credit card and delivery address details.
Immediacy & A Good Response Rate
One advantage that mobile phones certainly have over the desktop or tablet is their immediacy, i.e. they are always with us. This tends to mean that any special offers sent to them are likely to have a good response rate.
Although the use of smartphones to actually make a purchase appears to be less than you would expect, it is on the increase. For example UK Black Friday weekend shopping in November via smartphone totalled £472 million.
Possible Solutions To The Problem
Several new systems and different formats have been developed to help increase purchases made by mobile phones. Some high profile ones include:
After the initial wave of blackmail emails, it now seems that some ex members of the website are now receiving blackmail letters. Those targeted so far have been ex members living in Canada because this is where most of Ashley Madison’s members are based. The recent ‘snail mail’ extortionists are banking on those exposed members paying up to prevent their partners, wives and loved ones finding out that they were members of a website that appeared to facilitate affairs.
How Did This Happen?
It is widely believed that hackers calling themselves ‘The Impact Team’ were able to hack into a main database, and from there make several high profile data dumps and put them on the ‘dark web’ where they could be accessed by cyber criminals using encrypted browsers. As well as the uncomfortable situation that many ex members find themselves in, it also seems that there could be more grief to come for Ashley Madison itself in the future. The hackers are reported as saying that they have 300 GB of employee emails in their possession, and tens of thousands of Ashley Madison user pictures and user messages.
The vast majority of Ashley Madison members / ex members who had their details stolen are reported to be men (an estimated maximum of 14% were women). Within only 48 hours of the reports of the security breach going public dozens of Canadian citizens contacted legal firms in order to file lawsuits against Ashley Madison. An early public casualty of the exposure was U.S. reality TV star and ironically former executive director of the anti-abortion and pro-marriage group Family Research Council Josh Duggar. He then resigned from the post and publicly confessed his infidelity. There have also been 2 suicides in Canada linked to the leak.
What Is The Relevance of This Story?
As an IT Support Company in Hertfordshire, the relevance of us telling you about a dating site security hack that mostly affected Canadian members is that hackers can operate from anywhere in the world, can be very sophisticated and cunning in their methods, and would be willing to target the data of any business, including yours, a) if you make it easy for them to do so and b) if it has a value. As we have put things like CRMs and larger and more sophisticated databases at the centre of our businesses, we have all become more tempting targets for cyber criminals.
The Latest - The Blackmail Letters
Security expert blogger Graham Cluley has reported that some ex members of the website are now receiving blackmail demands through the post. These letters are reported to be asking for sums around the £3,000 mark in order for the receiver to avoid their membership of the website being made known to their loved ones. The advice from online security experts like Graham Cluley is for recipients of the blackmail letters to ignore the demands and to share the letter with the authorities.
The reality in 2016 is that whether you are an IT Support Company in Hertfordshire like us, an international business, or a local SME business in the South East, you are now at risk of an attack by cyber criminals. As we as a business community hear about more frequent and some very high profile cyber attacks, we are now prioritising our online and data security, and listening more to what the professionals have to say.
The New Norton Cyber Security Report
One of the main messages that the new Norton Cyber Security Report appears to deliver is that even though we may assume that the millennial generation are the most tech-savvy generation, they are also the generation who are least likely to heed warnings about cyber crime. This is surprising when you consider that they are also the generation most likely to have been informed about reports of cyber crime, e.g. through their use of social media and because the Web, as one of if not the main source of news and information, has only come about during their lifetime.
What the Stats Say
We as global consumers have spent an average of 21 hours and $358 per person over the last year dealing with online crime, and although the fear of cyber crime exists in the home and workplace, action to reduce the risks is often lacking.
Why Are the Millennial Generation More at Risk?
1. According to the 2016 Norton Security Report they are less security conscious when it comes to choosing and using passwords. 32% of millennials in the UK share their passwords for online services compared to 13% of baby boomers. Only 33% of millennials said they always use a secure password (the 8 character letter and number mix) compared to 49% of baby boomers.
2. One in five millennials felt that their chances of being compromised by cybercrime were negligible. This indicates that they appear to perceive less risk and don’t seem to fear the consequences of security breaches.
These 2 factors together go some way towards explaining why 31% of millennials say they have fallen victim to cyber crime.
The Lessons For Business
Based on the findings of the 2016 Norton Cyber Security Report, business owners should not assume that just because someone is young they are necessarily more web savvy, and therefore less of a security risk. To maintain an effective defence against cyber attack all staff members, regardless of age, should be briefed and made aware of how to work in a secure and compliant way online.
Other findings in the report, such as the fact that nearly half of the millennials surveyed rely on credit card companies to protect them after a hack, could also suggest that younger staff members may be less inclined to take responsibility for the results of security breaches, as well as being less cautious in the first place. This could mean that they are more likely to be the source of security breaches and therefore may need frequent reminders of the risks and of your organisation’s security procedures and policies.
No matter what the industry, communication and efficiency are key. In recent years advances in email and mobile phone technology have helped pave the way to staying connected. But the Cloud is taking over!
Office 365 is a cloud-based service, taking the industry’s most recognised software and making it accessible from wherever you are in the world. With high tech security controls and back up systems in place, using Office 365 enables you to have remote access to emails, documents, contacts and calendars at the touch of a button. This eliminates paper work and saves time, ultimately improving efficiency and productivity in the workplace.
Employees will find transition to Office 365 smooth and efficient as it also runs the standard Microsoft software such as Word, PowerPoint, Excel and Publisher.
Using a standard Internet connection, this cloud offering allows both office-based and remote workers to access live information at any given time, supported with features such as instant messaging to drive productivity and help stay connected.
Skype for Business plays a big part in cloud software, being a key tool in bringing international companies closer together. Skype for Business offers the opportunity to host video conference calls to any worldwide location. This significantly reduces travel time, expenditure and other associated costs.
With any cloud-based software you also gain the advantage of being up-to-date at all times, with upgrades and downloads to install as they become available. This method of upgrading eliminates any associated costs that would normally be spent on engineers and IT specialists.
This saving can also be seen with hosted cloud services. Data centres have been set up around the UK and worldwide, home to all the required computer hardware and servers. Operated and run by IT specialists, the data centres are manned 24 hours a day, 7 days a week, to ensure servers are fully operational at all times. You essentially get all the benefits of an in-house server without the upfront and running costs, making this an ideal option for new start-up businesses as well as SMEs looking to expand.
Ultimately, cloud-based solutions have transformed work processes so much that they are set to stay. They offer a company the opportunity to work in a modern, efficient and well-connected environment. However, with all your data located off-site you need to work with a company that you can trust. GCIS are IT specialists and offer a comprehensive range of technology solutions, from structured cabling, access control and telecom solutions, as well as a range of cloud solutions.
GCIS understand that no two businesses are the same and have a wide and varied portfolio working with small start-up businesses through to large corporate enterprises, offering bespoke products to suit any requirement. For more information on their range of services you can call 01438 347090 or email firstname.lastname@example.org.
Whilst our old website served us well, we decided that it was time to launch a new and improved version that reflects the company offering in 2015. Additionally we have created the website to be 'Mobile Friendly' ahead of the forthcoming Google update.
We hope you enjoy using the website and find that it provides the information you need quickly, with a minimum of hassle.
If you have any feedback, please get in touch.